From: Wenwen Wang
Date: Fri, 19 Oct 2018 16:25:01 -0500
Subject: Re: [PATCH] thunderbolt: Fix a missing-check bug
To: mika.westerberg@linux.intel.com
Cc: Kangjie Lu, andreas.noever@gmail.com, michael.jamet@intel.com, YehezkelShB@gmail.com, open list, Wenwen Wang
References: <1539784829-1159-1-git-send-email-wang6495@umn.edu> <20181018091319.GT2302@lahna.fi.intel.com>
In-Reply-To: <20181018091319.GT2302@lahna.fi.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Oct 18, 2018 at 4:13 AM Mika Westerberg wrote:
>
> Hi Wenwen,
>
> On Wed, Oct 17, 2018 at 09:00:29AM -0500, Wenwen Wang wrote:
> > In tb_cfg_copy(), the header of the received control package, which is in
> > the buffer 'pkg->buffer', is first parsed through parse_header() to make
> > sure the header is in the expected format. In parse_header(), the header is
> > actually checked by invoking check_header(), which checks the 'unknown'
> > field of the header and the response route acquired through
> > 'tb_cfg_get_route(header)'. If there is no error in this checking process,
> > the package, including the header, is then copied to 'req->response' in
> > tb_cfg_copy() through memcpy() and the parsing result is saved to
> > 'req->result'.
> >
> > The problem here is that the whole parsing and checking process is
> > conducted directly on the buffer 'pkg->buffer', which is actually a DMA
> > region and allocated through dma_pool_alloc() in tb_ctl_pkg_alloc(). Given
> > that the DMA region can also be accessed directly by a device at any time,
> > it is possible that a malicious device can race to modify the package data
> > after the parsing and checking process but before memcpy() is invoked in
> > tb_cfg_copy(). In this way, the attacker can bypass the parsing and
> > checking process and inject malicious data. This can potentially cause
> > undefined behavior of the kernel and introduce unexpected security risks.
>
> Here the device doing DMA is the Thunderbolt host controller, which is
> soldered on the motherboard (not anything connected via the TBT ports).
> In addition, the buffers we are dealing with here are already marked ready by
> the host controller hardware, so it is not expected to touch them anymore
> (if it did, then it would be a quite nasty bug).
>
> What kind of use case did you have in mind that could possibly inject
> malicious data into these buffers?

Hi Mika,

Thanks for your response. The current version of the code assumes that the
Thunderbolt controller behaves as expected, e.g., the host controller should
not touch the data after it is marked ready. However, it is not impossible
that the controller is exploited by an attacker through a security
vulnerability, even though it is soldered on the motherboard. In that case,
the controller may behave in an unexpected way and this bug will offer more
opportunities for the attacker.

Wenwen
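The double fetch that the patch description above is about (header validated in place on the DMA-visible `pkg->buffer`, then the same buffer read again by `memcpy()` into `req->response`) can be shown in a few dozen lines of user-space C. The code below is an added example written for this page; it is not kernel code, not the patch under discussion, and not code posted by either participant. The header layout (`struct hdr` with `route` and `unknown` fields), the fixed `PKT_SIZE`, the `struct req` mirror of `req->response`/`req->result`, and the `device_hook_t` callback that stands in for a DMA write landing between the check and the copy are all assumptions made so the race is deterministic and the program runs offline. `copy_vulnerable()` follows the pattern the thread describes; `copy_hardened()` shows the standard mitigation for this class of bug, a single fetch of the DMA buffer into driver-owned memory with every check and copy done on that snapshot.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed, simplified control-packet header. The field names follow the
 * thread's description (a response route and an 'unknown' field that must be
 * zero); the layout is an assumption, not the real struct tb_cfg_header. */
struct hdr {
    uint32_t route;    /* response route the driver expects */
    uint32_t unknown;  /* must be zero in a well-formed header */
};

#define PKT_SIZE 32                      /* assumed fixed packet size */
#define PAYLOAD_OFF (sizeof(struct hdr)) /* payload follows the header */

struct req {
    uint8_t response[PKT_SIZE];  /* stands in for req->response */
    int result;                  /* stands in for req->result: 0 = ok */
};

/* Models the device: a hook run in the window between the driver's check and
 * its copy, i.e. a DMA write that lands after validation (assumed). */
typedef void (*device_hook_t)(uint8_t *dma_buf);

/* Validation as described in the thread: 'unknown' must be zero and the
 * route must match. Reads the header via memcpy to avoid aliasing issues. */
static int check_header(const uint8_t *buf, uint32_t expected_route)
{
    struct hdr h;
    memcpy(&h, buf, sizeof(h));
    if (h.unknown != 0)
        return -1;
    if (h.route != expected_route)
        return -2;
    return 0;
}

/* Vulnerable pattern: check on the DMA-visible buffer, then copy from that
 * same buffer. Whatever the device writes in between is copied out as if it
 * had passed the check, while r->result still says the check succeeded. */
int copy_vulnerable(uint8_t *dma_buf, struct req *r, uint32_t route,
                    device_hook_t device)
{
    r->result = check_header(dma_buf, route);   /* first fetch */
    if (r->result)
        return r->result;
    if (device)
        device(dma_buf);                         /* race window */
    memcpy(r->response, dma_buf, PKT_SIZE);      /* second fetch */
    return 0;
}

/* Hardened pattern: fetch the DMA buffer exactly once into driver-owned
 * memory and perform every check and copy on that snapshot. */
int copy_hardened(uint8_t *dma_buf, struct req *r, uint32_t route,
                  device_hook_t device)
{
    uint8_t snapshot[PKT_SIZE];
    memcpy(snapshot, dma_buf, PKT_SIZE);         /* single fetch */
    if (device)
        device(dma_buf);                         /* same race, now unobserved */
    r->result = check_header(snapshot, route);
    if (r->result)
        return r->result;
    memcpy(r->response, snapshot, PKT_SIZE);
    return 0;
}

/* Constructed misbehaving device: rewrites the header after the check. */
static void tampering_device(uint8_t *dma_buf)
{
    struct hdr h = { .route = 0x99, .unknown = 0xdeadbeef };
    memcpy(dma_buf, &h, sizeof(h));
    memcpy(dma_buf + PAYLOAD_OFF, "tampered", 8);
}

/* Constructed well-formed packet placed in a pretend DMA buffer. */
static void build_packet(uint8_t *dma_buf, uint32_t route)
{
    struct hdr h = { .route = route, .unknown = 0 };
    memset(dma_buf, 0, PKT_SIZE);
    memcpy(dma_buf, &h, sizeof(h));
    memcpy(dma_buf + PAYLOAD_OFF, "genuine!", 8);
}

/* Returns 1 if the given path reported success but delivered a response that
 * fails the very check it claims to have passed, i.e. the TOCTOU outcome. */
int delivered_unchecked_data(int (*path)(uint8_t *, struct req *, uint32_t,
                                         device_hook_t))
{
    uint8_t dma_buf[PKT_SIZE];
    struct req r;
    memset(&r, 0, sizeof(r));
    build_packet(dma_buf, 0x42);
    if (path(dma_buf, &r, 0x42, tampering_device) != 0)
        return 0;
    return check_header(r.response, 0x42) != 0;
}

int main(void)
{
    printf("vulnerable path delivered unchecked data: %d\n",
           delivered_unchecked_data(copy_vulnerable));  /* 1 */
    printf("hardened path delivered unchecked data:   %d\n",
           delivered_unchecked_data(copy_hardened));    /* 0 */
    return 0;
}
```

The hook makes the race deterministic; on real hardware the window is the gap between the driver's read of the header and its `memcpy()`, and a device that keeps writing a buffer it has already marked ready would hit it only sometimes. The hardening does not depend on the device's good behaviour: once the driver reads the DMA region exactly once, later device writes can only corrupt data the driver will never look at.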